Are Windows Event Logs displaying local time or UTC? There’s a trap!

The question often arises whether the timestamps in the Windows Event Logs are local or UTC. The answer is more subtle than that. Let’s discuss which time zone is used in the Windows Event Logs, and where.

First of all, please note that this discussion applies to the “Operating System Event Logs” you can view with the Event Viewer, such as Application, System, Security and the newer Vista-like logs such as CAPI/Operational. It does not apply to the various “.log” files you can find in the temp folders, such as the installation traces of Visual Studio.

If you look at your PC or server right now, you will see that the events appear to be displayed in your local time. But beware: this is only valid for the “Date and Time” field, because the timestamp is in fact recorded as UTC and the offset is calculated by the client application.

However, anything else is just text and is recorded as such, so it uses the time zone of the application that recorded the message. This sounds logical, but the consequences are not obvious. Take the unexpected shutdown event of a server you monitor, far, far away in another datacenter.

You could end up with messages such as:

Log Name: System
Source: EventLog
Date: 24/08/2021 07:30:36
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
The previous system shutdown at 09:30:12 on ‎24/‎08/‎2021 was unexpected.

The timestamp of the event was correctly recorded as a UTC value, which is converted to local time by the application you use on your own PC to look at the logs, whereas the message saying that the previous shutdown was unexpected is text formatted by the machine in its own time zone.

To demonstrate this, you can execute the following PowerShell script. (You’ll hear a nice sound when your time zone changes.)

In the above example, the Time field changes when you change your time zone, whereas the message remains identical.
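
The same effect can be reproduced without touching the system time zone. The script below is an added example, not the author's script: it uses a constructed record modelled on the 6008 event shown earlier (the UTC value of 07:30:36 is an assumption; the message text is taken from the page) and renders it as viewers in several Windows time zones would see it.

```powershell
# Added example. $record is a constructed sample, not read from a real log.
# Assumption: the stored timestamp is 07:30:36 UTC; the message is the text
# the logging machine wrote in its own time zone.
$record = [pscustomobject]@{
    Id             = 6008
    TimeCreatedUtc = [datetime]::new(2021, 8, 24, 7, 30, 36, [System.DateTimeKind]::Utc)
    Message        = 'The previous system shutdown at 09:30:12 on 24/08/2021 was unexpected.'
}

# Time zones of the hypothetical viewers (Windows time zone IDs).
$viewerZones = 'UTC', 'W. Europe Standard Time', 'Pacific Standard Time', 'Tokyo Standard Time'

$rows = foreach ($zoneId in $viewerZones) {
    $tz    = [System.TimeZoneInfo]::FindSystemTimeZoneById($zoneId)
    # This conversion is what the client application does for "Date and Time".
    $shown = [System.TimeZoneInfo]::ConvertTimeFromUtc($record.TimeCreatedUtc, $tz)
    [pscustomobject]@{
        ViewerZone  = $zoneId
        UtcOffset   = $tz.GetUtcOffset($record.TimeCreatedUtc).ToString()
        DateAndTime = $shown.ToString('yyyy-MM-dd HH:mm:ss')
        # The message is plain text: no conversion is applied to it.
        Message     = $record.Message
    }
}

# DateAndTime differs per row; Message is identical in every row.
$rows | Format-Table -AutoSize -Wrap

# For a timeline built from several machines, keep the stored UTC value
# and write it in an unambiguous format (ISO 8601, trailing "Z").
$record.TimeCreatedUtc.ToString('o')

# On a live system the UTC value can be taken from the record itself:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008 } -MaxEvents 5 |
#     Select-Object @{ n = 'TimeCreatedUtc'; e = { $_.TimeCreated.ToUniversalTime().ToString('o') } },
#                   Message
```

When correlating logs from machines in different time zones, sort on the UTC field and treat any time quoted inside a message as local to the machine that wrote it.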
